Snapchat says it’s “just impossibly sorry” for a recent data breach that exposed payroll information of some current and former employees on Friday.
The Snapchat data wasn’t stolen by a coding mastermind who penetrated the company’s servers using some unknown flaw. Instead, it was stolen by an attacker who exploited a much simpler, more human vulnerability: trust. The attacker pretended to be Snapchat chief executive Evan Spiegel and tricked an employee into emailing over the information, according to a blog post the company posted Sunday about the incident.
Roughly 700 current or former employees had information including their names, Social Security numbers and wage data compromised in the attack, according to the Los Angeles Times. Snapchat declined to confirm those details to The Washington Post or to comment further beyond the blog post.
The incident highlights one of the biggest challenges for companies struggling to protect sensitive information: Even if your technical security is up to snuff, your people may let you down.
It’s no secret that people make bad security choices. Just look at the laughably bad passwords like “123456” and “password” that keep showing up in breached data troves. But companies are, of course, made up of people people who can make the same type of mistakes in the workplace that they make in their personal digital lives.
In fact, the “human element” was the root cause of more than half of security breaches according to a 2015 report from tech trade association CompTIA. Yet that same report, which was based on surveys of hundreds of US business executives and technology professionals, suggests that companies may not be doing enough to prepare their workers for a world where a new scam might be in their inbox everyday.
Despite the scope of the problem, only 30 percent of companies rated the “human element” as a serious concern and just 54 percent offered some sort of cyber-security training, most often as part of new employee orientation or an annual refresher course, according to the report.
The Snapchat case is a good reason why it’s important for companies to think about their people as a key part of keeping their data safe. Just ask the social network, which is now working with the FBI to investigate the employee data breach and providing two years of identity theft protection to those affected.
“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” the company said in the blog post. “To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks.”
Snapchat had security woes in the past. A few years ago, a bug left the usernames and phone numbers of users exposed and one group exploited it to release information about 4.6 million accounts, apparently in an effort to highlight the company’s lax security practices. But the latest breach only affected current and former employees, according to the blog post.